
Powerwall Potential Security Issues

Tesla support seem to have considerable remote access to the internals of Powerwall gateways. Most people will likely have the gateway on their internal LAN. If it's a wired LAN, then the gateway has the potential to see all the traffic on the LAN.

If Tesla support got hacked, this would provide a path into the LAN of lots of Tesla's customers, with the potential for doing considerable harm.

Ideally the gateway would be isolated on a segment of its own, to prevent it from snooping on traffic, and allowed access only to the internet, and such LAN web traffic as its owner requires, but this is not something the typical owner will know how to do.

You could argue basically the same thing with software updates. If someone was able to hack the software update server (along with the security hashes) it could be big trouble.

What do you think would be the ideal solution? Tesla buying a new dedicated line to someone's house (not being a dick- maybe Cellular?). I think we should trust that Tesla has put software / hardware in place to prevent such attacks -- and most traffic is SSL anyways.

> You could argue basically the same thing with software updates. If someone was able to hack the software update server (along with the security hashes) it could be big trouble.

One could hope that such things are better protected. Indeed, if updates are signed, there needn't be anything potentially vulnerable on the update server. The worst a hacker could do would be to prevent updates from taking place.
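The difference between the two posts above (hashes stored on the update server versus signed updates), as an added illustration that is not part of the thread and does not describe Tesla's actual update mechanism: a compromised server can swap an image and recompute its hash, but cannot produce a signature without the vendor's offline private key. To stay within the Python standard library it uses a Lamport one-time signature in place of a production scheme such as Ed25519 or RSA; all function names and sample data are constructed for the example.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 secret pairs; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret per digest bit. A key must sign only one message.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(msg)))

def accepts_hash_only(bundle) -> bool:
    # Device trusts the hash published next to the image on the update server.
    return H(bundle["image"]).hex() == bundle["sha256"]

def accepts_signed(bundle, pk) -> bool:
    # Device trusts only a signature that checks against its built-in public key.
    return verify(pk, bundle["image"], bundle["sig"])

def demo():
    sk, pk = keygen()  # sk stays offline at the vendor; pk ships in the device
    image = b"firmware v2 (constructed sample)"
    good = {"image": image, "sha256": H(image).hex(), "sig": sign(sk, image)}
    # Server compromise: the image is swapped and the hash recomputed, but the
    # old signature is all that is available because sk is not on the server.
    evil_image = b"firmware v2, modified (constructed sample)"
    evil = dict(good, image=evil_image, sha256=H(evil_image).hex())
    return {
        "good_hash_only": accepts_hash_only(good),
        "good_signed": accepts_signed(good, pk),
        "evil_hash_only": accepts_hash_only(evil),
        "evil_signed": accepts_signed(evil, pk),
    }

if __name__ == "__main__":
    print(demo())
```

The hash-only device installs the modified image; the signature-checking device rejects it, so the server compromise degrades to a blocked update.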

This is the age-old IoT vulnerability problem. I'm less worried about a company like Tesla where they at least have a decent software group than a company like LG. I would guess the chances of somebody getting onto my network through my washing machine are probably higher than through my Powerwall.

Even so, it would probably take a targeted hack to do any serious damage on my network. The most likely thing to happen would be for the Powerwall to be co-opted for a botnet. For this reason, I haven't bothered to isolate the Powerwall in my network.

Isn't the same thing true for everything you use? From your WiFi router (like eero), to Tesla's vehicles, to ADT home security, to Nest to Ring, to Hunter Douglas home automation blinds, to HomePod, etc...

Why just single out the Tesla Powerwall? The assumption is that if you can get to it from your iPhone or Android device when not at home, then it's possible that it's vulnerable, regardless of whether the vendor's NOC is involved or not.

> Isn't the same thing true for everything you use? From your WiFi router (like eero), to Tesla's vehicles, to ADT home security, to Nest to Ring, to Hunter Douglas home automation blinds, to HomePod, etc...
>
> Why just single out the Tesla Powerwall? The assumption is that if you can get to it from your iPhone or Android device when not at home, then it's possible that it's vulnerable, regardless of whether the vendor's NOC is involved or not.

Exactly, anything on the network is a source of risk. I worry more about the cheap Android-based stuff (kids' tablets, etc.) that will never see an update and the streaming device as much as anything.

Worse are the teenage kids' friends who visit and think they need to be in everyone’s WiFi.

Another point that occurs to me is that in the case of a wired ethernet connection, there is a UTP cable that's, in many cases, accessible from outside the house, just by undoing a screw. It wouldn't be particularly difficult to add another WiFi router inside the gateway housing, where owners would be unlikely to find it, providing WiFi access to the LAN. There's even power available there.

OK, one might question why anyone would bother, but for some high value owner targets, it might be seen as a convenient way of gaining access to inside information.

> Another point that occurs to me is that in the case of a wired ethernet connection, there is a UTP cable that's, in many cases, accessible from outside the house, just by undoing a screw. It wouldn't be particularly difficult to add another WiFi router inside the gateway housing, where owners would be unlikely to find it, providing WiFi access to the LAN. There's even power available there.
>
> OK, one might question why anyone would bother, but for some high value owner targets, it might be seen as a convenient way of gaining access to inside information.

You would have to be on the property first for that. If the target was high value, it's pretty likely that they would have recorded surveillance, monitored alarm and possibly on-site security.

> Another point that occurs to me is that in the case of a wired ethernet connection, there is a UTP cable that's, in many cases, accessible from outside the house, just by undoing a screw. It wouldn't be particularly difficult to add another WiFi router inside the gateway housing, where owners would be unlikely to find it, providing WiFi access to the LAN. There's even power available there.
>
> OK, one might question why anyone would bother, but for some high value owner targets, it might be seen as a convenient way of gaining access to inside information.

IP based security cameras would have the same risk. Good point. Maybe I should move those over to a VLAN and isolate mine.

I don't know. For me it's the remote attacks that are scary, not the physical attacks. The number of people with the skills, motivation and access to do a local attack is so much smaller than the number of people on the Internet trolling for easy targets that it seems like the risk is comparatively small. Besides, I think the attack surface when you include that kind of attack is going to be huge. There are probably plenty of other undesirable things that somebody with that kind of physical access could do if they wanted to.

All of this is one more reason to have IoT devices on a separate guest network. Whether or not that's good enough depends on the Wifi AP and how it's segmented (name, VLAN, etc.). But there is no way these devices need to be on the same Wifi/SSID/VLAN as the rest of your internal devices (PCs, file server, etc. traffic).

For some level of protection, that's the first thing to do. How often does the firmware in your wifi thermometer and refrigerator get updated? (I don't have a connected reefer but the wifi thermometer is very useful, to remotely turn things up and down, and, no, it's not a bleeping Nest!)

So, the point was: The PWs should be on this guest network also, as most of their talking would be external.

> Tesla support seem to have considerable remote access to the internals of Powerwall gateways. Most people will likely have the gateway on their internal LAN. If it's a wired LAN, then the gateway has the potential to see all the traffic on the LAN.
>
> If Tesla support got hacked, this would provide a path into the LAN of lots of Tesla's customers, with the potential for doing considerable harm.
>
> Ideally the gateway would be isolated on a segment of its own, to prevent it from snooping on traffic, and allowed access only to the internet, and such LAN web traffic as its owner requires, but this is not something the typical owner will know how to do.

This is really the case with almost any device you have in your local network.

- Computers can get remote updates, those updates could contain malware
- Lots of devices such as WiFi doorbells, cameras, access points, routers all run some kind of Linux, they could contain backdoors.
- Mobile phones are a security nightmare.
- Smart TVs, STBs, smart lights with gateways, etc, etc.

If you don't trust the Powerwall, don't hook it up to your network. Use a guest network or something. This goes for all WiFi devices you have in your home.

So the technician came, fixed a gateway, and then left. Still, I'm not getting accurate readings. My house is not producing energy yet it says it is. Also a conduit has to be supplemented with an extra one to not overload a conduit as designed and installed. Super strict inspector. Hopefully an electrician will be scheduled in the next couple weeks.

> All of this is one more reason to have IoT devices on a separate guest network. Whether or not that's good enough depends on the Wifi AP and how it's segmented (name, VLAN, etc.). But there is no way these devices need to be on the same Wifi/SSID/VLAN as the rest of your internal devices (PCs, file server, etc. traffic).

Exactly. We have two networks in the house: PRIVATE and GUEST. Private (actually a work-from-home requirement too) has PoshNamedNotCheap Routers and Firewalls, and they have a cost-licence MAC address limit, so if all visitors hooked up to that we'd hit connectivity limits for known MACs ...

All the rest get the GUEST password and good luck to them! That WiFi/network gets them straight out of the door, bypassing all the security we have on the private network.
